CVE-2022-22589:
Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com).
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript.
Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22590:
Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Toan Pham from Team Orca of Sea Security (security.sea.com).
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

CVE-2022-22592:
Versions affected: WebKitGTK and WPE WebKit before 2.34.5.
Credit to Prakash (@1lastBr3ath).
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Description: A logic issue was addressed with improved state management.

Please bump to 2.34.5.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=873bf3aa31ec4bd58ad472ede5020b734f90f31d

commit 873bf3aa31ec4bd58ad472ede5020b734f90f31d
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-02-09 19:11:03 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-02-09 19:12:37 +0000

    net-libs/webkit-gtk: Version bump to 2.34.5

    Bug: https://bugs.gentoo.org/832990
    Closes: https://bugs.gentoo.org/832894
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest | 1 +
 net-libs/webkit-gtk/webkit-gtk-2.34.5.ebuild | 273 +++++++++++++++++++++++++++
 2 files changed, 274 insertions(+)
Thanks! Please stabilize when ready.
For 2.34.5 I'm getting

```
>>> Configuring source in /var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5 ...
* ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
* USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
*
* Call stack:
* ebuild.sh, line 127: Called src_configure
* environment, line 4053: Called usex 'test'
* phase-helpers.sh, line 213: Called use 'test'
* phase-helpers.sh, line 252: Called die
* The specific snippet of code:
* die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
*
* If you need support, post the output of `emerge --info '=net-libs/webkit-gtk-2.34.5::gentoo'`,
* the complete build log and the output of `emerge -pqv '=net-libs/webkit-gtk-2.34.5::gentoo'`.
* The complete build log is located at '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/environment'.
* Working directory: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
* S: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
* Messages for package net-libs/webkit-gtk-2.34.5:
* ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
* USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
*
* Call stack:
* ebuild.sh, line 127: Called src_configure
* environment, line 4053: Called usex 'test'
* phase-helpers.sh, line 213: Called use 'test'
* phase-helpers.sh, line 252: Called die
* The specific snippet of code:
* die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
```

Should I file this under another bug?
(In reply to Albert W. Hopkins from comment #3)
> For 2.34.5 I'm getting
>
> ```
> >>> Configuring source in /var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5 ...
> * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
> * USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
> *
> * Call stack:
> * ebuild.sh, line 127: Called src_configure
> * environment, line 4053: Called usex 'test'
> * phase-helpers.sh, line 213: Called use 'test'
> * phase-helpers.sh, line 252: Called die
> * The specific snippet of code:
> * die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
> *
> * If you need support, post the output of `emerge --info
> '=net-libs/webkit-gtk-2.34.5::gentoo'`,
> * the complete build log and the output of `emerge -pqv
> '=net-libs/webkit-gtk-2.34.5::gentoo'`.
> * The complete build log is located at
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/build.log'.
> * The ebuild environment file is located at
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/temp/environment'.
> * Working directory:
> '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
> * S: '/var/tmp/portage/net-libs/webkit-gtk-2.34.5/work/webkitgtk-2.34.5'
> * Messages for package net-libs/webkit-gtk-2.34.5:
> * ERROR: net-libs/webkit-gtk-2.34.5::gentoo failed (configure phase):
> * USE Flag 'test' not in IUSE for net-libs/webkit-gtk-2.34.5
> *
> * Call stack:
> * ebuild.sh, line 127: Called src_configure
> * environment, line 4053: Called usex 'test'
> * phase-helpers.sh, line 213: Called use 'test'
> * phase-helpers.sh, line 252: Called die
> * The specific snippet of code:
> * die "USE Flag '${u}' not in IUSE for ${CATEGORY}/${PF}"
> ```
>
> Should I file this under another bug?

Should be fixed by https://github.com/gentoo/gentoo/commit/9cbf4a0dc3a6b6412acadc9558d4d068f5af860e
> Should be fixed by
> https://github.com/gentoo/gentoo/commit/
> 9cbf4a0dc3a6b6412acadc9558d4d068f5af860e

Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5526c1acd16c113397ef0c689aadc00fe88ab94

commit d5526c1acd16c113397ef0c689aadc00fe88ab94
Author: Matt Turner <mattst88@gentoo.org>
AuthorDate: 2022-03-18 19:18:08 +0000
Commit: Matt Turner <mattst88@gentoo.org>
CommitDate: 2022-03-18 19:23:32 +0000

    net-libs/webkit-gtk: Drop old versions

    Bug: https://bugs.gentoo.org/831739
    Bug: https://bugs.gentoo.org/832990
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 net-libs/webkit-gtk/Manifest | 2 -
 net-libs/webkit-gtk/webkit-gtk-2.34.3.ebuild | 272 ---------------------------
 net-libs/webkit-gtk/webkit-gtk-2.34.4.ebuild | 272 ---------------------------
 3 files changed, 546 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7

commit 1d278bb93fbf8fdb34ef9c125c5f4536e11c15d7
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:54:04 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-31 23:56:59 +0000

    [ GLSA 202208-39 ] WebKitGTK+: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/832990
    Bug: https://bugs.gentoo.org/833568
    Bug: https://bugs.gentoo.org/837305
    Bug: https://bugs.gentoo.org/839984
    Bug: https://bugs.gentoo.org/845252
    Bug: https://bugs.gentoo.org/856445
    Bug: https://bugs.gentoo.org/861740
    Bug: https://bugs.gentoo.org/864427
    Bug: https://bugs.gentoo.org/866494
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-39.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)